US12093820B2 - Automatic generation of an API interface description - Google Patents

Automatic generation of an API interface description Download PDF

Info

Publication number
US12093820B2
US12093820B2 US17/339,949 US202117339949A US12093820B2 US 12093820 B2 US12093820 B2 US 12093820B2 US 202117339949 A US202117339949 A US 202117339949A US 12093820 B2 US12093820 B2 US 12093820B2
Authority
US
United States
Prior art keywords
api
components
request
server
requests
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
US17/339,949
Other versions
US20220318081A1 (en
Inventor
Shubham Jindal
Avinash Kolluru
Ravindra Guntar
Inon Shkedy
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Traceable Inc
Original Assignee
Traceable Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Traceable Inc filed Critical Traceable Inc
Priority to US17/339,949 priority Critical patent/US12093820B2/en
Publication of US20220318081A1 publication Critical patent/US20220318081A1/en
Assigned to Traceable Inc. reassignment Traceable Inc. ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: JINDAL, SHUBHAM, GUNTUR, RAVINDRA, Shkedy, Inon, Kolluru, Avinash
Application granted granted Critical
Publication of US12093820B2 publication Critical patent/US12093820B2/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/08Learning methods
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/901Indexing; Data structures therefor; Storage structures
    • G06F16/9027Trees
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/90Details of database functions independent of the retrieved data types
    • G06F16/95Retrieval from the web
    • G06F16/955Retrieval from the web using information identifiers, e.g. uniform resource locators [URL]
    • G06F16/9566URL specific, e.g. using aliases, detecting broken or misspelled links
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/552Detecting local intrusion or implementing counter-measures involving long-term monitoring or reporting
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/541Interprogram communication via adapters, e.g. between incompatible applications
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/543User-generated data transfer, e.g. clipboards, dynamic data exchange [DDE], object linking and embedding [OLE]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46Multiprogramming arrangements
    • G06F9/54Interprogram communication
    • G06F9/547Remote procedure calls [RPC]; Web services
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06NCOMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00Computing arrangements based on biological models
    • G06N3/02Neural networks
    • G06N3/04Architecture, e.g. interconnection topology
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/133Protocols for remote procedure calls [RPC]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/034Test or assess a computer or a system
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/2866Architectures; Arrangements
    • H04L67/30Profiles
    • H04L67/303Terminal profiles

Definitions

  • API application program interface
  • the present technology analyzes APIs for a system and automatically generates an API description for the system.
  • the APIs each have an API behavior, which can include a request and a response.
  • Each request and response can have different components.
  • the present system automatically learns characteristics and patterns in the request and response components.
  • the present system can learn API request and response component characteristics based on a distribution of occurrences. The occurrences may be detected as the system receives data about actual API usage between a system and clients. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined.
  • the components can include path parameters, query parameters, request headers, request body, response header, and response body.
  • the characteristics can include parameter types (starting, integer, float, etc.), sensitivity, character distribution, and other characteristics.
  • a method automatically determines a description of interfaces to APIs for a web service.
  • the method includes receiving, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server.
  • Components of the API requests are automatically detected by an application on the server, the components including URL parameters, API request header data, and API request body data.
  • a correct set of request components can be automatically learned by the application based on the API components detected by the application. Anomaly requests to the server API are detected based on comparing subsequent server API requests to the learned correct set of request components.
  • a non-transitory computer readable storage medium has embodied thereon a program that is executable by a processor to perform a method.
  • the method includes receiving, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server.
  • Components of the API requests are automatically detected by an application on the server, the components including URL parameters, API request header data, and API request body data.
  • a correct set of request components can be automatically learned by the application based on the API components detected by the application.
  • Anomaly requests to the server API are detected based on comparing subsequent server API requests to the learned correct set of request components.
  • a system can include a server, memory and one or more processors.
  • One or more modules may be stored in memory and executed by the processors to receive, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server, automatically detect components of the API requests by an application on the server, the components including URL parameters, API request header data, and API request body data, automatically learn a correct set of request components by the application based on the API components detected by the application, and detect anomaly requests to the server API based on comparing subsequent server API requests to the learned correct set of request components.
  • FIG. 1 is a block diagram of a system for intelligently naming APIs.
  • FIG. 2 is a block diagram of an application that automatically generates an API description.
  • FIG. 3 is a method that automatically generates an API description.
  • FIG. 4 is a method for detects components of API requests.
  • FIG. 5 is a method learns API request components.
  • FIG. 6 is a method for detecting subsequent APIs as an anomaly based on a baseline comparison.
  • FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
  • the present system analyzes APIs for a system and automatically generates an API description for the system.
  • the APIs each have an API behavior, which can include a request and a response.
  • Each request and response can have different components.
  • the present system automatically learns characteristics and patterns in the request and response components.
  • the present system can learn API request and response component characteristics based on a distribution of occurrences. The occurrences may be detected as the system receives data about actual API usage between a system and clients. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined.
  • the components can include path parameters, query parameters, request headers, request body, response header, and response body.
  • the characteristics can include parameter types (starting, integer, float, etc.), sensitivity, character distribution, and other characteristics.
  • FIG. 1 is a block diagram of a system for intelligently naming (i.e., generating) APIs.
  • the block diagram 100 of FIG. 1 includes client devices 110 - 140 , customer server 150 , network 160 , Application server 170 , and data store 180 .
  • Client devices 110 - 140 may send requests to and receive responses from customer server 150 .
  • the client devices may be any device which can access the service, network page, webpage, or other content from customer server 150 .
  • Client devices 110 - 140 may send a request to customer server 150 , for example to an API provided by customer server 150 , and customer server 150 may send a response to the devices based on the request.
  • the request may be sent to a particular URL provided by customer server 15 - and a response may be sent from the same URL or different URLs. Though only for four client devices are shown, any number of client devices may be used to interact with customer server 150 .
  • Customer server 150 may provide a service to client devices 110 - 140 .
  • Agent 152 on customer server 150 may monitor the communication between customer server 150 and client devices 110 - 140 and intercept traffic between the server and the devices. Upon intercepting the traffic, agent 152 may forward the traffic to application 172 on application server 170 .
  • one or more agents may be installed on customer server 150 , which may be implemented by one or more physical or logical machines. In some instances, server 150 may actually be implemented by multiple servers in different locations, providing a distributed service for devices 110 - 140 . In any case, one or more agents 152 may be installed to intercept requests and responses sent between devices 110 - 140 and customer server 150 and for those requests and responses to application 172 on server 170 .
  • Network 140 may include one or more private networks, public networks, intranets, the Internet, an intranet, wide-area networks, local area networks, cellular networks, radio-frequency networks, Wi-Fi networks, any other network which may be used to transmit data, and any combination of these networks.
  • Client devices 110 - 140 , customer server 150 , Application server 170 , and data store 180 may all communicate over network 160 .
  • Application server 170 may be implemented as one or more physical or logical machines that provide application functionality as described herein.
  • application server may include one or more applications 172 .
  • the application 172 may be stored on one or more application servers 170 and be executed to perform functionality as described herein.
  • Application server and application 172 may both communicate over network 160 and data store 180 .
  • data store 180 may include one or more APIs, API descriptions, and other data.
  • FIG. 2 is a block diagram of an application that automatically generates an API description.
  • Application 172 of FIG. 2 provides more detail for application 172 of the system of FIG. 1 .
  • Application 172 includes API parsing engine 210 , histogram manager 220 , API compare module 230 , and anomaly alert 240 .
  • API parsing engine 210 may access and detect components of API requests. The engine 210 may detect path parameters, query parameters, request header content, request body content, response API headers and bodies, and other content within a URL, request, or response associated with an API.
  • API parsing engine can also detect portions of each component as they are detected by a remote agent.
  • each API parsing engine can detect component parameters, sensitivity, character distributions, and other data.
  • Component parameters may include a variable type, such as an integer string, or float.
  • Component sensitivity can include private information, such as credit card information, password information, security question information, email data, and other data that users may prefer to keep quiet or may be used to compromise their account, their finances, or other personal details.
  • Character distribution identification and/or tracking may include detecting the location and number of occurrences of a particular character, for example in a URL, API request header or body, or API response body.
  • the characters may include special characters colon, semicolon, slash, question marks, exclamation marks, asterisks, parenthesis, and other nun-numeric and non-alphabet characters.
  • Histogram manager 220 may generate update, and manage a histogram for each of a plurality of APIs. For example, histogram manager 220 may maintain a histogram for the occurrence of a particular API, API components, parameters, parameter types, parameter values, value length, character distribution, cookies, authorization tokens, JSON objects, sensitivity, and other data with respect to an API.
  • API compare module 230 may compare an API to a generated baseline for an API.
  • Anomaly alert 240 may generate alerts based on comparison results of the API compare module 230 .
  • the API compare unit may send a message with information about the anomaly to anomaly alert 240 , which can then generate an alert for an administrator in a system, for example via message, email, through an interface, in a dashboard, or in some other way that communicates the occurrence of the anomaly.
  • FIG. 3 is a method that automatically generates an API description.
  • an agent may be installed in a customer system to intercept live traffic at step 310 .
  • the installation may include one or more agents, as needed, to intercept API requests.
  • the live URL traffic consisting of requests and responses may then be intercepted between user computing devices and servers at step 315 .
  • the live URL traffic including requests, responses, and other communications between a server and a client device, may be forwarded to a remote server at step 320 .
  • the remote server may include an application that automatically generates an API description, as discussed in more detail below, and performs other functionality discussed herein.
  • Components of API requests may be detected at step 325 .
  • different types of requests API parameters may be detected, including path parameters, query parameters, and other parameters. Detecting components of an API request is discussed in more detail with respect to method of FIG. 4 .
  • API requests components can be learned at step 330 .
  • Learning the API request components includes accessing the intercepted traffic and analyzing the traffic for components and parameters that appear in the traffic. More detail for learning API request components is discussed with respect to the method of FIG. 5 .
  • API responses may be analyzed to detect an API header, API body, and other components of an API response.
  • parameters within an API response are detected as well.
  • the detected API response parameters include parameter type (string, integer, float, etc.), sensitivity, character distribution, length of value, and other parameters.
  • a baseline is then generated for an API at step 340 .
  • the baseline may include data for the API description as determined by the histogram, as well as other sources.
  • Subsequent APIs may be compared to the baseline at step 345 .
  • the subsequent APIs may be compared to determine if they match the API or differ from the API.
  • Subsequent APIs may be detected as an anomaly based on the baseline comparison at step 350 . In some instances, if a subsequent API compared to a baseline does not match the baseline, the subsequent API may be identified as an anomaly. Step 350 is discussed in more detail with respect to the method of FIG. 6 .
  • FIG. 4 is a method for detecting components of API requests. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3 .
  • request API path parameters are detected at step 410 .
  • API path parameters may be detected within a URL to which an API request is addressed to. Examples of requests API path parameters include a value type, value length, sensitivity, special character distribution, such as the number of slashes or semicolons, and other values.
  • a request API query parameter is detected at step 420 .
  • the API query parameter may be detected within the URL of an API request, and can include one or more alphanumeric characters and special characters, such as a question mark character.
  • API header parameters may be detected at step 430 .
  • API header parameters may include a cookie, authorization token, and other parameters that are located within the body of an API header.
  • detected parameters within an API request header include value type (string, integer, float, etc.), sensitive data, character distribution, value length, and other parameters.
  • API request body parameters may include input data for the request, a JSON object, data that may be too sensitive to place in a URL, and other data.
  • detected parameters within an API request body include value type (string, integer, float, etc.), sensitive data, character distribution, value length, and other parameters.
  • FIG. 5 is a method for learning API request components. The method of FIG. 5 provides more detail for step 330 of the method of FIG. 3 .
  • a histogram template is generated at step 510 .
  • the histogram template may be generated automatically based on intercepted API behavior, for example including components for each type of detected API component and parameters for type of parameter. In some instances, a histogram template can be based on a default template or generated in some other manner.
  • the template may include one or more API components and one or more parameters for each component.
  • a detected API response component or parameter exists as a histogram element at step 520 . If the API response component or parameter exists as a histogram element, the occurrence of the element in the API response is incremented at step 530 and the method of FIG. 5 continues to step 590 . If the histogram element is not detected in API response, a new histogram element is created and the new element is incremented at step 540 . The method of FIG. 5 then continues to step 550 .
  • the data may be enough if there is at least a minimum number of API requests and responses received, such as 20, 50, 70, 100, or some other number.
  • the data may be enough if a period of time has transpired, such as 5 minutes, 10 minutes, 30 minutes, or some other period of time.
  • there is enough data if a histogram component or element has a minimum number of occurrences, such as for example 10, 15, 20, 30, 50, or some other number of occurrences.
  • the method returns to step 520 . If enough data has been collected, an API interface description is created for request components based on the histogram at step 560 .
  • Tallying histogram element occurrences can be performed in several ways. For example, determining if enough histogram element data has been collected can be performed per API, per component, and/or per parameter. Combinations of requirements can also be implemented. For example, for a particular histogram element to be used to create an API interface description, it may require that at least 10 instances of the API component or parameter are detected and that API traffic has been monitored for at least 5 minutes. It may also be required that the intercepted traffic received for an API is from a minimum number of different sources. Further, once a histogram element is determined to have enough data and an API interface description is generated, the system may continue to intercept API traffic and increment histogram element occurrences. As such, if a histogram element changes over time after an initial API interface description has been created, the API interface description may be changed if the histogram occurrences change over time as well.
  • FIG. 6 is a method for detecting subsequent APIs as an anomaly based on a baseline comparison. The method of FIG. 6 provides more detail for step 350 of the method of FIG. 3 .
  • An event is detected for comparing live traffic to an API baseline at step 610 .
  • the event may include period of time, or some other event.
  • a received API request is compared to a generated API description at step 620 .
  • the received API request may be one of several API requests compared to a generated API description component or parameter.
  • the received API differs from the API description, in some instances, additional analysis can be performed before determining the API is anomalous. For example, if the receive API is one of several received APIs that do not match the API description, there may be a determination as to whether the multiple non-matching APIs are from different users. A determination as to whether received APIs that don't match an API description are received from multiple users at step 640 . Generally speaking, it is not desirable to receive several anomalous requests from a single. To do so could allow the single user to recalibrate data from which the baseline is generated. If the anomalous received APIs are received by different users, the method of FIG. 6 continues to step 630 . If the anomalous received APIs are not received by different users, the received API request is classified as an anomaly at step 650 , and the method ends at step 660 .
  • FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
  • System 700 of FIG. 7 may be implemented in the contexts of the likes of machines that implement client devices 110 - 140 , customer server 150 , Application server 170 , and data store 180 .
  • the computing system 700 of FIG. 7 includes one or more processors 710 and memory 720 .
  • Main memory 720 stores, in part, instructions and data for execution by processor 710 .
  • Main memory 720 can store the executable code when in operation.
  • the system 700 of FIG. 7 further includes a mass storage device 730 , portable storage medium drive(s) 740 , output devices 750 , user input devices 760 , a graphics display 770 , and peripheral devices 780 .
  • processor unit 710 and main memory 720 may be connected via a local microprocessor bus, and the mass storage device 730 , peripheral device(s) 780 , portable storage device 740 , and display system 770 may be connected via one or more input/output (I/O) buses.
  • I/O input/output
  • Mass storage device 730 which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use by processor unit 710 . Mass storage device 730 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 720 .
  • Portable storage device 740 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from the computer system 700 of FIG. 7 .
  • a portable non-volatile storage medium such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory
  • the system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 700 via the portable storage device 740 .
  • Input devices 760 provide a portion of a user interface.
  • Input devices 760 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices.
  • the system 700 as shown in FIG. 7 includes output devices 750 . Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
  • Display system 770 may include a liquid crystal display (LCD) or other suitable display device. Display system 770 receives textual and graphical information and processes the information for output to the display device. Display system 770 may also receive input as a touch-screen.
  • LCD liquid crystal display
  • Peripherals 780 may include any type of computer support device to add additional functionality to the computer system.
  • peripheral device(s) 780 may include a modem or a router, printer, and other device.
  • the system of 700 may also include, in some implementations, antennas, radio transmitters and radio receivers 790 .
  • the antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly.
  • the one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device, and other radio frequency networks.
  • the devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas.
  • the components contained in the computer system 700 of FIG. 7 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art.
  • the computer system 700 of FIG. 7 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device.
  • the computer can also include different bus configurations, networked platforms, multi-processor platforms, etc.
  • Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Artificial Intelligence (AREA)
  • Mathematical Physics (AREA)
  • Computational Linguistics (AREA)
  • Evolutionary Computation (AREA)
  • General Health & Medical Sciences (AREA)
  • Molecular Biology (AREA)
  • Biomedical Technology (AREA)
  • Biophysics (AREA)
  • Life Sciences & Earth Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Debugging And Monitoring (AREA)

Abstract

A system analyzes APIs and automatically generates an API description for the system. The APIs each have an API behavior, which can include a request and a response. Each request and response can have different components. The present system automatically learns characteristics and patterns in the request and response components. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined. Once the API description is automatically generated by the system, the API description can be compared to incoming API requests to identify anomalies that can be associated with users without proper credentials.

Description

CROSS REFERENCE TO RELATED APPLICATIONS
The present application claims the priority benefit of U.S. provisional patent application 63/167,649, filed on Mar. 30, 2021, titled “INTELLIGENT APPLICATION PROTECTION,” the disclosure of which is incorporated herein by reference.
BACKGROUND
When analyzing, tracking, or monitoring a system, it is often important to know the specification of the system, including application program interface (API) specifications. However, when monitoring a new system, the API specification and related data is often unknown. This forces administrators and users working with the system to work with uniform resource locators (URL), and for example associate each URL with a particular API. This results in very large numbers of APIs, which requires a large number of resources to work with. What is needed is an improved method for naming APIs.
SUMMARY
The present technology, roughly described, analyzes APIs for a system and automatically generates an API description for the system. The APIs each have an API behavior, which can include a request and a response. Each request and response can have different components. The present system automatically learns characteristics and patterns in the request and response components. In some instances, the present system can learn API request and response component characteristics based on a distribution of occurrences. The occurrences may be detected as the system receives data about actual API usage between a system and clients. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined. The components can include path parameters, query parameters, request headers, request body, response header, and response body. The characteristics can include parameter types (starting, integer, float, etc.), sensitivity, character distribution, and other characteristics. Once the API description is automatically generated by the system, the API description can be compared to incoming API requests to identify anomalies that can be associated with users without proper credentials.
In some instances, a method automatically determines a description of interfaces to APIs for a web service. The method includes receiving, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server. Components of the API requests are automatically detected by an application on the server, the components including URL parameters, API request header data, and API request body data. A correct set of request components can be automatically learned by the application based on the API components detected by the application. Anomaly requests to the server API are detected based on comparing subsequent server API requests to the learned correct set of request components.
In some instances, a non-transitory computer readable storage medium has embodied thereon a program that is executable by a processor to perform a method. The method includes receiving, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server. Components of the API requests are automatically detected by an application on the server, the components including URL parameters, API request header data, and API request body data. A correct set of request components can be automatically learned by the application based on the API components detected by the application. Anomaly requests to the server API are detected based on comparing subsequent server API requests to the learned correct set of request components.
In embodiments, a system can include a server, memory and one or more processors. One or more modules may be stored in memory and executed by the processors to receive, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server, automatically detect components of the API requests by an application on the server, the components including URL parameters, API request header data, and API request body data, automatically learn a correct set of request components by the application based on the API components detected by the application, and detect anomaly requests to the server API based on comparing subsequent server API requests to the learned correct set of request components.
BRIEF DESCRIPTION OF FIGURES
FIG. 1 is a block diagram of a system for intelligently naming APIs.
FIG. 2 is a block diagram of an application that automatically generates an API description.
FIG. 3 is a method that automatically generates an API description.
FIG. 4 is a method for detects components of API requests.
FIG. 5 is a method learns API request components.
FIG. 6 is a method for detecting subsequent APIs as an anomaly based on a baseline comparison.
FIG. 7 is a block diagram of a system for implementing machines that implement the present technology.
 DETAILED DESCRIPTION
The present system analyzes APIs for a system and automatically generates an API description for the system. The APIs each have an API behavior, which can include a request and a response. Each request and response can have different components. The present system automatically learns characteristics and patterns in the request and response components. In some instances, the present system can learn API request and response component characteristics based on a distribution of occurrences. The occurrences may be detected as the system receives data about actual API usage between a system and clients. As clients engage an API, the component data in the requests and responses for the API are monitored and distributions for various characteristics are determined. The components can include path parameters, query parameters, request headers, request body, response header, and response body. The characteristics can include parameter types (starting, integer, float, etc.), sensitivity, character distribution, and other characteristics. Once the API description is automatically generated by the system, the API description can be compared to incoming API requests to identify anomalies that can be associated with users without proper credentials.
FIG. 1 is a block diagram of a system for intelligently naming (i.e., generating) APIs. The block diagram 100 of FIG. 1 includes client devices 110-140, customer server 150, network 160, Application server 170, and data store 180.
Client devices 110-140 may send requests to and receive responses from customer server 150. The client devices may be any device which can access the service, network page, webpage, or other content from customer server 150. Client devices 110-140 may send a request to customer server 150, for example to an API provided by customer server 150, and customer server 150 may send a response to the devices based on the request. The request may be sent to a particular URL provided by customer server 15- and a response may be sent from the same URL or different URLs. Though only for four client devices are shown, any number of client devices may be used to interact with customer server 150.
Customer server 150 may provide a service to client devices 110-140. Agent 152 on customer server 150 may monitor the communication between customer server 150 and client devices 110-140 and intercept traffic between the server and the devices. Upon intercepting the traffic, agent 152 may forward the traffic to application 172 on application server 170. In some instances, one or more agents may be installed on customer server 150, which may be implemented by one or more physical or logical machines. In some instances, server 150 may actually be implemented by multiple servers in different locations, providing a distributed service for devices 110-140. In any case, one or more agents 152 may be installed to intercept requests and responses sent between devices 110-140 and customer server 150 and for those requests and responses to application 172 on server 170.
Network 140 may include one or more private networks, public networks, intranets, the Internet, an intranet, wide-area networks, local area networks, cellular networks, radio-frequency networks, Wi-Fi networks, any other network which may be used to transmit data, and any combination of these networks. Client devices 110-140, customer server 150, Application server 170, and data store 180 may all communicate over network 160.
Application server 170 may be implemented as one or more physical or logical machines that provide application functionality as described herein. In some instances, application server may include one or more applications 172. The application 172 may be stored on one or more application servers 170 and be executed to perform functionality as described herein. Application server and application 172 may both communicate over network 160 and data store 180. In some instance, data store 180 may include one or more APIs, API descriptions, and other data.
FIG. 2 is a block diagram of an application that automatically generates an API description. Application 172 of FIG. 2 provides more detail for application 172 of the system of FIG. 1 . Application 172 includes API parsing engine 210, histogram manager 220, API compare module 230, and anomaly alert 240. API parsing engine 210 may access and detect components of API requests. The engine 210 may detect path parameters, query parameters, request header content, request body content, response API headers and bodies, and other content within a URL, request, or response associated with an API.
API parsing engine can also detect portions of each component as they are detected by a remote agent. For example, each API parsing engine can detect component parameters, sensitivity, character distributions, and other data. Component parameters may include a variable type, such as an integer string, or float. Component sensitivity can include private information, such as credit card information, password information, security question information, email data, and other data that users may prefer to keep quiet or may be used to compromise their account, their finances, or other personal details. Character distribution identification and/or tracking may include detecting the location and number of occurrences of a particular character, for example in a URL, API request header or body, or API response body. The characters may include special characters colon, semicolon, slash, question marks, exclamation marks, asterisks, parenthesis, and other nun-numeric and non-alphabet characters.
Histogram manager 220 may generate update, and manage a histogram for each of a plurality of APIs. For example, histogram manager 220 may maintain a histogram for the occurrence of a particular API, API components, parameters, parameter types, parameter values, value length, character distribution, cookies, authorization tokens, JSON objects, sensitivity, and other data with respect to an API. API compare module 230 may compare an API to a generated baseline for an API. Anomaly alert 240 may generate alerts based on comparison results of the API compare module 230. For example, if a subsequent request is detected to be an anomaly from an automatically determined API request description, the API compare unit may send a message with information about the anomaly to anomaly alert 240, which can then generate an alert for an administrator in a system, for example via message, email, through an interface, in a dashboard, or in some other way that communicates the occurrence of the anomaly.
FIG. 3 is a method that automatically generates an API description. First, an agent may be installed in a customer system to intercept live traffic at step 310. The installation may include one or more agents, as needed, to intercept API requests. The live URL traffic consisting of requests and responses may then be intercepted between user computing devices and servers at step 315. The live URL traffic, including requests, responses, and other communications between a server and a client device, may be forwarded to a remote server at step 320. The remote server may include an application that automatically generates an API description, as discussed in more detail below, and performs other functionality discussed herein.
Components of API requests may be detected at step 325. In some instances, different types of requests API parameters may be detected, including path parameters, query parameters, and other parameters. Detecting components of an API request is discussed in more detail with respect to method of FIG. 4 .
API requests components can be learned at step 330. Learning the API request components includes accessing the intercepted traffic and analyzing the traffic for components and parameters that appear in the traffic. More detail for learning API request components is discussed with respect to the method of FIG. 5 .
Components of API resources may be detected at step 33. The API responses may be analyzed to detect an API header, API body, and other components of an API response. In addition to API response components, parameters within an API response are detected as well. The detected API response parameters include parameter type (string, integer, float, etc.), sensitivity, character distribution, length of value, and other parameters.
A baseline is then generated for an API at step 340. The baseline may include data for the API description as determined by the histogram, as well as other sources. Subsequent APIs may be compared to the baseline at step 345. The subsequent APIs may be compared to determine if they match the API or differ from the API. Subsequent APIs may be detected as an anomaly based on the baseline comparison at step 350. In some instances, if a subsequent API compared to a baseline does not match the baseline, the subsequent API may be identified as an anomaly. Step 350 is discussed in more detail with respect to the method of FIG. 6 .
FIG. 4 is a method for detecting components of API requests. The method of FIG. 4 provides more detail for step 325 of the method of FIG. 3 . First, request API path parameters are detected at step 410. API path parameters may be detected within a URL to which an API request is addressed to. Examples of requests API path parameters include a value type, value length, sensitivity, special character distribution, such as the number of slashes or semicolons, and other values.
A request API query parameter is detected at step 420. The API query parameter may be detected within the URL of an API request, and can include one or more alphanumeric characters and special characters, such as a question mark character.
API header parameters may be detected at step 430. API header parameters may include a cookie, authorization token, and other parameters that are located within the body of an API header. In some instances, detected parameters within an API request header include value type (string, integer, float, etc.), sensitive data, character distribution, value length, and other parameters.
Parameters within an API request body are detected at step 440. In some instances, API request body parameters may include input data for the request, a JSON object, data that may be too sensitive to place in a URL, and other data. In some instances, detected parameters within an API request body include value type (string, integer, float, etc.), sensitive data, character distribution, value length, and other parameters.
FIG. 5 is a method for learning API request components. The method of FIG. 5 provides more detail for step 330 of the method of FIG. 3 . A histogram template is generated at step 510. The histogram template may be generated automatically based on intercepted API behavior, for example including components for each type of detected API component and parameters for type of parameter. In some instances, a histogram template can be based on a default template or generated in some other manner. The template may include one or more API components and one or more parameters for each component.
As components and parameters are detected in intercepted traffic, they histogram is updated to reflect the occurrence of the component or parameter. A determination is made as to whether a detected API response component or parameter exists as a histogram element at step 520. If the API response component or parameter exists as a histogram element, the occurrence of the element in the API response is incremented at step 530 and the method of FIG. 5 continues to step 590. If the histogram element is not detected in API response, a new histogram element is created and the new element is incremented at step 540. The method of FIG. 5 then continues to step 550.
A determination is made as whether histogram has collected enough element data at step 550. In some instances, in order to rely on the histogram data to generate an API description, which includes typical API specification components and additional components, there may be a determination as to whether enough data has been gathered. In some instances, the data may be enough if there is at least a minimum number of API requests and responses received, such as 20, 50, 70, 100, or some other number. In some instances, the data may be enough if a period of time has transpired, such as 5 minutes, 10 minutes, 30 minutes, or some other period of time. In some instances, there is enough data if a histogram component or element has a minimum number of occurrences, such as for example 10, 15, 20, 30, 50, or some other number of occurrences.
If the histogram is not collected enough element data, the method returns to step 520. If enough data has been collected, an API interface description is created for request components based on the histogram at step 560.
Tallying histogram element occurrences can be performed in several ways. For example, determining if enough histogram element data has been collected can be performed per API, per component, and/or per parameter. Combinations of requirements can also be implemented. For example, for a particular histogram element to be used to create an API interface description, it may require that at least 10 instances of the API component or parameter are detected and that API traffic has been monitored for at least 5 minutes. It may also be required that the intercepted traffic received for an API is from a minimum number of different sources. Further, once a histogram element is determined to have enough data and an API interface description is generated, the system may continue to intercept API traffic and increment histogram element occurrences. As such, if a histogram element changes over time after an initial API interface description has been created, the API interface description may be changed if the histogram occurrences change over time as well.
FIG. 6 is a method for detecting subsequent APIs as an anomaly based on a baseline comparison. The method of FIG. 6 provides more detail for step 350 of the method of FIG. 3 . An event is detected for comparing live traffic to an API baseline at step 610. The event may include period of time, or some other event.
A received API request is compared to a generated API description at step 620. In some instances, the received API request may be one of several API requests compared to a generated API description component or parameter.
A determination is then made as to the received API differs from the API description at step 630. If the API does not differ from the API description, a determination is made that the API request is not an anomaly at step 660 and the method of FIG. 6 ends.
If the received API differs from the API description, in some instances, additional analysis can be performed before determining the API is anomalous. For example, if the receive API is one of several received APIs that do not match the API description, there may be a determination as to whether the multiple non-matching APIs are from different users. A determination as to whether received APIs that don't match an API description are received from multiple users at step 640. Generally speaking, it is not desirable to receive several anomalous requests from a single. To do so could allow the single user to recalibrate data from which the baseline is generated. If the anomalous received APIs are received by different users, the method of FIG. 6 continues to step 630. If the anomalous received APIs are not received by different users, the received API request is classified as an anomaly at step 650, and the method ends at step 660.
FIG. 7 is a block diagram of a system for implementing machines that implement the present technology. System 700 of FIG. 7 may be implemented in the contexts of the likes of machines that implement client devices 110-140, customer server 150, Application server 170, and data store 180. The computing system 700 of FIG. 7 includes one or more processors 710 and memory 720. Main memory 720 stores, in part, instructions and data for execution by processor 710. Main memory 720 can store the executable code when in operation. The system 700 of FIG. 7 further includes a mass storage device 730, portable storage medium drive(s) 740, output devices 750, user input devices 760, a graphics display 770, and peripheral devices 780.
The components shown in FIG. 7 are depicted as being connected via a single bus 790. However, the components may be connected through one or more data transport means. For example, processor unit 710 and main memory 720 may be connected via a local microprocessor bus, and the mass storage device 730, peripheral device(s) 780, portable storage device 740, and display system 770 may be connected via one or more input/output (I/O) buses.
Mass storage device 730, which may be implemented with a magnetic disk drive, an optical disk drive, a flash drive, or other device, is a non-volatile storage device for storing data and instructions for use by processor unit 710. Mass storage device 730 can store the system software for implementing embodiments of the present invention for purposes of loading that software into main memory 720.
Portable storage device 740 operates in conjunction with a portable non-volatile storage medium, such as a floppy disk, compact disk or Digital video disc, USB drive, memory card or stick, or other portable or removable memory, to input and output data and code to and from the computer system 700 of FIG. 7 . The system software for implementing embodiments of the present invention may be stored on such a portable medium and input to the computer system 700 via the portable storage device 740.
Input devices 760 provide a portion of a user interface. Input devices 760 may include an alpha-numeric keypad, such as a keyboard, for inputting alpha-numeric and other information, a pointing device such as a mouse, a trackball, stylus, cursor direction keys, microphone, touch-screen, accelerometer, and other input devices. Additionally, the system 700 as shown in FIG. 7 includes output devices 750. Examples of suitable output devices include speakers, printers, network interfaces, and monitors.
Display system 770 may include a liquid crystal display (LCD) or other suitable display device. Display system 770 receives textual and graphical information and processes the information for output to the display device. Display system 770 may also receive input as a touch-screen.
Peripherals 780 may include any type of computer support device to add additional functionality to the computer system. For example, peripheral device(s) 780 may include a modem or a router, printer, and other device.
The system of 700 may also include, in some implementations, antennas, radio transmitters and radio receivers 790. The antennas and radios may be implemented in devices such as smart phones, tablets, and other devices that may communicate wirelessly. The one or more antennas may operate at one or more radio frequencies suitable to send and receive data over cellular networks, Wi-Fi networks, commercial device networks such as a Bluetooth device, and other radio frequency networks. The devices may include one or more radio transmitters and receivers for processing signals sent and received using the antennas.
The components contained in the computer system 700 of FIG. 7 are those typically found in computer systems that may be suitable for use with embodiments of the present invention and are intended to represent a broad category of such computer components that are well known in the art. Thus, the computer system 700 of FIG. 7 can be a personal computer, handheld computing device, smart phone, mobile computing device, workstation, server, minicomputer, mainframe computer, or any other computing device. The computer can also include different bus configurations, networked platforms, multi-processor platforms, etc. Various operating systems can be used including Unix, Linux, Windows, Macintosh OS, Android, as well as languages including Java, .NET, C, C++, Node.JS, and other suitable languages.
The foregoing detailed description of the technology herein has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the technology to the precise form disclosed. Many modifications and variations are possible in light of the above teaching. The described embodiments were chosen to best explain the principles of the technology and its practical application to thereby enable others skilled in the art to best utilize the technology in various embodiments and with various modifications as are suited to the particular use contemplated. It is intended that the scope of the technology be defined by the claims appended hereto.

Claims (18)

What is claimed is:
1. A method for automatically determining a description of interfaces to APIs for a web service, the method comprising:
receiving, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server;
automatically detecting components of the API requests by an application on the server, the components including URL parameters, API request header data, and API request body data;
automatically learning a correct set of request components by the application based on the API components detected by the application; and
detecting anomaly requests to the server API based on comparing subsequent server API requests to the learned correct set of request components,
wherein detecting anomaly requests includes:
detecting a set of multiple API requests having request components that differs from the learned correct set of request components,
detecting that the set of multiple API requests is received from a number of users that does not satisfy a threshold, and
determining that the set of multiple API requests is an anomaly based on the difference from the learned correct set of request components and the number of users not satisfying the threshold.
2. The method of claim 1, wherein automatically learning includes determine the occurrences of each component, wherein the correct set of request components is based on the highest number of occurrences for a particular component.
3. The method of claim 2, further including generating a histogram based on the occurrences of each request component.
4. The method of claim 1, further comprising identifying an API description based on the learned correct set of components.
5. The method of claim 4, further comprising:
receiving, by the server from the agent stored on the remote server, subsequent API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server; and
updating the learned correct set of request components by the application based on the API components detected in the in the subsequent API requests by the application.
6. The method of claim 1, wherein the automatically detected components include a special character distribution in an API path parameter.
7. A non-transitory computer readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for automatically determining a description of interfaces to APIs for a web service, the method comprising:
receiving, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server;
automatically detecting components of the API requests by an application on the server, the components including URL parameters, API request header data, and API request body data;
automatically learning a correct set of request components by the application based on the API components detected by the application; and
detecting anomaly requests to the server API based on comparing subsequent server API requests to the learned correct set of request components,
wherein detecting anomaly requests includes:
detecting a set of multiple API requests having request components that differs from the learned correct set of request components,
detecting that the set of multiple API requests is received from a number of users that does not satisfy a threshold, and
determining that the set of multiple API requests is an anomaly based on the difference from the learned correct set of request components and the number of users not satisfying the threshold.
8. The non-transitory computer readable storage medium of claim of claim 7, wherein automatically learning includes determine the occurrences of each component, wherein the correct set of request components is based on the highest number of occurrences for a particular component.
9. The non-transitory computer readable storage medium of claim of claim 8, further including generating a histogram based on the occurrences of each request component.
10. The non-transitory computer readable storage medium of claim of claim 7, further comprising identifying an API description based on the learned correct set of components.
11. The non-transitory computer readable storage medium of claim of claim 10, further comprising:
receiving, by the server from the agent stored on the remote server, subsequent API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server; and
updating the learned correct set of request components by the application based on the API components detected in the subsequent API requests by the application.
12. The non-transitory computer readable storage medium of claim of claim 7, wherein the automatically detected components include a special character distribution in an API path parameter.
13. A system for generating application program interfaces (APIs) from uniform resource locator (URL) information, comprising:
a server including a memory and a processor; and
one or more modules stored in the memory and executed by the processor to receive, by a server from an agent stored on a remote server, API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server, automatically detect components of the API requests by an application on the server, the components including URL parameters, API request header data, and API request body data, automatically learn a correct set of request components by the application based on the API components detected by the application, and detect anomaly requests to the server API based on comparing subsequent server API requests to the learned correct set of request components, wherein the one or more modules are further executable to detect a set of multiple API requests having request components that differs from the learned correct set of request components, detect that the set of multiple API requests is received from a number of users that does not satisfy a threshold, and determine that the set of multiple API requests is an anomaly based on the difference from the learned correct set of request components and the number of users not satisfying the threshold.
14. The system of claim 13, wherein automatically learning includes determine the occurrences of each component, wherein the correct set of request components is based on the highest number of occurrences for a particular component.
15. The method of claim 14, further including generating a histogram based on the occurrences of each request component.
16. The method of claim 13, further comprising identifying an API description based on the learned correct set of components.
17. The method of claim 16, further comprising:
receiving, by the server from the agent stored on the remote server, subsequent API requests sent from a plurality of users to server APIs, the requests intercepted by the agent on the remote server; and
updating the learned correct set of request components by the application based on the API components detected in the subsequent API requests by the application.
18. The method of claim 13, wherein the automatically detected components include a special character distribution in an API path parameter.
US17/339,949 2021-03-30 2021-06-05 Automatic generation of an API interface description Active US12093820B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US17/339,949 US12093820B2 (en) 2021-03-30 2021-06-05 Automatic generation of an API interface description

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US202163167649P 2021-03-30 2021-03-30
US17/339,949 US12093820B2 (en) 2021-03-30 2021-06-05 Automatic generation of an API interface description

Publications (2)

Publication Number Publication Date
US20220318081A1 US20220318081A1 (en) 2022-10-06
US12093820B2 true US12093820B2 (en) 2024-09-17

Family

ID=83448116

Family Applications (5)

Application Number Title Priority Date Filing Date
US17/339,946 Pending US20220318332A1 (en) 2021-03-30 2021-06-05 Intelligent naming of application program interfaces
US17/339,949 Active US12093820B2 (en) 2021-03-30 2021-06-05 Automatic generation of an API interface description
US17/339,951 Pending US20220321587A1 (en) 2021-03-30 2021-06-05 Automatic anomaly detection based on api sessions
US17/348,785 Pending US20220318618A1 (en) 2021-03-30 2021-06-16 Multi-api metric modeling using lstm system
US17/349,942 Pending US20220318378A1 (en) 2021-03-30 2021-06-17 Detecting threats based on api service business logic abuse

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US17/339,946 Pending US20220318332A1 (en) 2021-03-30 2021-06-05 Intelligent naming of application program interfaces

Family Applications After (3)

Application Number Title Priority Date Filing Date
US17/339,951 Pending US20220321587A1 (en) 2021-03-30 2021-06-05 Automatic anomaly detection based on api sessions
US17/348,785 Pending US20220318618A1 (en) 2021-03-30 2021-06-16 Multi-api metric modeling using lstm system
US17/349,942 Pending US20220318378A1 (en) 2021-03-30 2021-06-17 Detecting threats based on api service business logic abuse

Country Status (1)

Country Link
US (5) US20220318332A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20230376012A1 (en) * 2022-05-17 2023-11-23 Aspentech Corporation Anomaly Event Detector
US11921847B1 (en) * 2023-07-13 2024-03-05 Intuit, Inc. Detection of abnormal application programming interface (API) sessions including a sequence of API requests using space partitioning data structures
US11900179B1 (en) * 2023-07-13 2024-02-13 Intuit, Inc. Detection of abnormal application programming interface (API) sessions including a sequence of API requests

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190243692A1 (en) * 2017-01-19 2019-08-08 International Business Machines Corporation Analysis of application programming interface usage for improving a computer system
US20200036739A1 (en) * 2018-07-24 2020-01-30 Wallarm, Inc. Ai-based system for accurate detection and identification of l7 threats
US20200125954A1 (en) * 2018-10-17 2020-04-23 Capital One Services, Llc Systems and methods for selecting and generating log parsers using neural networks
US20220006829A1 (en) * 2020-07-02 2022-01-06 Qualys, Inc. Rest API Scanning for Security Testing

Family Cites Families (33)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6226408B1 (en) * 1999-01-29 2001-05-01 Hnc Software, Inc. Unsupervised identification of nonlinear data cluster in multidimensional data
US7058633B1 (en) * 2002-09-09 2006-06-06 Cisco Technology, Inc. System and method for generalized URL-rewriting
US8635330B2 (en) * 2006-04-24 2014-01-21 Vmware, Inc. Method and system for learning web applications
US20080034424A1 (en) * 2006-07-20 2008-02-07 Kevin Overcash System and method of preventing web applications threats
EP1953995A1 (en) * 2007-01-30 2008-08-06 Seiko Epson Corporation Application execution system, computer, application execution device, and control method and program for an application execution system
US9781148B2 (en) * 2008-10-21 2017-10-03 Lookout, Inc. Methods and systems for sharing risk responses between collections of mobile communications devices
WO2010105184A2 (en) * 2009-03-13 2010-09-16 Breach Security , Inc. A method and apparatus for phishing and leeching vulnerability detection
US9215212B2 (en) * 2009-06-22 2015-12-15 Citrix Systems, Inc. Systems and methods for providing a visualizer for rules of an application firewall
US9112863B2 (en) * 2009-12-14 2015-08-18 International Business Machines Corporation Method, program product and server for controlling a resource access to an electronic resource stored within a protected data environment
WO2013036269A1 (en) * 2011-09-09 2013-03-14 Hewlett-Packard Development Company, L.P. Systems and methods for evaluation of events based on a reference baseline according to temporal position in a sequence of events
US9367421B2 (en) * 2013-12-20 2016-06-14 Netapp, Inc. Systems, methods, and computer programs products providing relevant correlation of data source performance
US9667704B1 (en) * 2014-04-26 2017-05-30 Google Inc. System and method for classifying API requests in API processing systems using a tree configuration
US9729506B2 (en) * 2014-08-22 2017-08-08 Shape Security, Inc. Application programming interface wall
US9699205B2 (en) * 2015-08-31 2017-07-04 Splunk Inc. Network security system
WO2017151515A1 (en) * 2016-02-29 2017-09-08 Palo Alto Networks, Inc. Automatically grouping malware based on artifacts
US10394552B2 (en) * 2016-05-17 2019-08-27 Dropbox, Inc. Interface description language for application programming interfaces
US11663110B2 (en) * 2016-10-31 2023-05-30 International Business Machines Corporation Analysis to check web API code usage and specification
US10942708B2 (en) * 2017-01-10 2021-03-09 International Business Machines Corporation Generating web API specification from online documentation
JP6612468B2 (en) * 2017-03-03 2019-11-27 グーグル エルエルシー System and method for establishing a link between identifiers without disclosing specific identification information
US10740215B2 (en) * 2017-04-26 2020-08-11 Jpmorgan Chase Bank, N.A. System and method for implementing an API validator tool
US10409711B2 (en) * 2017-06-12 2019-09-10 International Business Machines Corporation Automatically running tests against WEB APIs based on specifications
US10620945B2 (en) * 2017-12-21 2020-04-14 Fujitsu Limited API specification generation
US10776189B2 (en) * 2017-12-22 2020-09-15 MuleSoft, Inc. API query
US10452843B2 (en) * 2018-01-11 2019-10-22 ArecaBay, Inc. Self-adaptive application programming interface level security monitoring
SG10201806602VA (en) * 2018-08-02 2020-03-30 Mastercard International Inc Methods and systems for identification of breach attempts in a client-server communication using access tokens
US11797843B2 (en) * 2019-03-06 2023-10-24 Samsung Electronics Co., Ltd. Hashing-based effective user modeling
US20200301760A1 (en) * 2019-03-19 2020-09-24 Honeywell International Inc. Methods and systems for generating and recommending api mashups
US11113029B2 (en) * 2019-04-10 2021-09-07 International Business Machines Corporation Probabilistic matching of web application program interface code usage to specifications
US10747505B1 (en) * 2019-05-17 2020-08-18 Google Llc API specification generation
US11831420B2 (en) * 2019-11-18 2023-11-28 F5, Inc. Network application firewall
US11388216B2 (en) * 2020-01-07 2022-07-12 Volterra, Inc. System and method for generating API schemas for networked services
US10873618B1 (en) * 2020-01-07 2020-12-22 Volterra, Inc. System and method to dynamically generate a set of API endpoints
US10917401B1 (en) * 2020-03-24 2021-02-09 Imperva, Inc. Data leakage prevention over application programming interface

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20190243692A1 (en) * 2017-01-19 2019-08-08 International Business Machines Corporation Analysis of application programming interface usage for improving a computer system
US20200036739A1 (en) * 2018-07-24 2020-01-30 Wallarm, Inc. Ai-based system for accurate detection and identification of l7 threats
US20200125954A1 (en) * 2018-10-17 2020-04-23 Capital One Services, Llc Systems and methods for selecting and generating log parsers using neural networks
US20220006829A1 (en) * 2020-07-02 2022-01-06 Qualys, Inc. Rest API Scanning for Security Testing

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Laughter et al., "Detection of Malicious HTTP Requests Using Header and URL Features" (Nov. 1, 2020), pp. 449-468 [retrieved from https://link.springer.com/chapter/10.1007/978-3-030-63089-8_29]. (Year: 2020). *
Sohan, S.M., "Automated Example Oriented REST API Documentation" (2017), pp. 1-156 [retrieved from https://prism.ucalgary.ca/handle/11023/4244]. (Year: 2017). *

Also Published As

Publication number Publication date
US20220318378A1 (en) 2022-10-06
US20220318618A1 (en) 2022-10-06
US20220318081A1 (en) 2022-10-06
US20220318332A1 (en) 2022-10-06
US20220321587A1 (en) 2022-10-06

Similar Documents

Publication Publication Date Title
US12093820B2 (en) Automatic generation of an API interface description
US10902117B1 (en) Framework for classifying an object as malicious with machine learning for deploying updated predictive models
US11271955B2 (en) Platform and method for retroactive reclassification employing a cybersecurity-based global data store
US10121000B1 (en) System and method to detect premium attacks on electronic networks and electronic devices
US10574698B1 (en) Configuration and deployment of decoy content over a network
US10445502B1 (en) Susceptible environment detection system
EP3776307B1 (en) Distributed system for adaptive protection against web-service-targeted vulnerability scanners
US10826931B1 (en) System and method for predicting and mitigating cybersecurity system misconfigurations
US20190207966A1 (en) Platform and Method for Enhanced Cyber-Attack Detection and Response Employing a Global Data Store
US10581874B1 (en) Malware detection system with contextual analysis
US10148693B2 (en) Exploit detection system
US8775333B1 (en) Systems and methods for generating a threat classifier to determine a malicious process
US11240275B1 (en) Platform and method for performing cybersecurity analyses employing an intelligence hub with a modular architecture
JP4808703B2 (en) Method and system for identifying related network security threats using improved intrusion detection audit and comparison of intelligent security analysis
US20240275811A1 (en) Cyber security system and method using intelligent agents
US20140196144A1 (en) Method and Apparatus for Detecting Malicious Websites
AU2024204413A1 (en) Systems and methods for controlling data exposure using artificial-intelligence-based modeling
US11089024B2 (en) System and method for restricting access to web resources
US9621576B1 (en) Detecting malicious websites
US11930030B1 (en) Detecting and responding to malicious acts directed towards machine learning models
US10291492B2 (en) Systems and methods for discovering sources of online content
US11586741B2 (en) Dynamic communication architecture for testing computer security application features
CN113196265A (en) Security detection assay
US20230224314A1 (en) Session based anomaly dectection
CN113709136B (en) Access request verification method and device

Legal Events

Date Code Title Description
FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO UNDISCOUNTED (ORIGINAL EVENT CODE: BIG.); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

FEPP Fee payment procedure

Free format text: ENTITY STATUS SET TO SMALL (ORIGINAL EVENT CODE: SMAL); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NON FINAL ACTION MAILED

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

AS Assignment

Owner name: TRACEABLE INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:JINDAL, SHUBHAM;KOLLURU, AVINASH;GUNTUR, RAVINDRA;AND OTHERS;SIGNING DATES FROM 20230710 TO 20230727;REEL/FRAME:064756/0869

STCB Information on status: application discontinuation

Free format text: ABANDONMENT FOR FAILURE TO CORRECT DRAWINGS/OATH/NONPUB REQUEST

FEPP Fee payment procedure

Free format text: PETITION RELATED TO MAINTENANCE FEES GRANTED (ORIGINAL EVENT CODE: PTGR); ENTITY STATUS OF PATENT OWNER: SMALL ENTITY

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STPP Information on status: patent application and granting procedure in general

Free format text: AWAITING TC RESP, ISSUE FEE PAYMENT VERIFIED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE